Commit Graph

6 Commits

Author SHA1 Message Date
Nelson Elhage 0a2476b20e Restore the 0.2 TLS verification behavior.
Namely, don't check the DNS names in TLS certificates when connecting to
other servers.

As of golang 1.3, crypto/tls no longer natively supports doing partial
verification (verifying the cert issuer but not the hostname), so we
have to disable verification entirely and then do the issuer
verification ourselves. Fortunately, crypto/x509 makes this relatively
straightforward.

If the "server_name" configuration option is passed, we preserve the
existing behavior of checking that server name everywhere.

No option is provided to retain the current behavior of checking the
remote certificate against the local node name, since that behavior
seems clearly buggy and unintentional, and I have difficulty imagining
it is actually being used anywhere. It would be relatively
straightforward to restore if desired, however.
2014-06-28 13:32:42 -07:00
Armon Dadgar 37ad00d66d consul: Ensure Raft also uses TLS connections 2014-04-07 15:06:59 -07:00
Armon Dadgar 786755ebcd Check for error when sending RPC byte 2014-01-10 12:09:19 -08:00
Armon Dadgar c28ebbf60f consul: Write the byte to set the RPC mode 2013-12-09 14:29:20 -08:00
Armon Dadgar 6e9d7dc0fd consul: RaftLayer does not use ConnPool 2013-12-09 14:25:59 -08:00
Armon Dadgar 7f4adceae8 consul: sharing the RPC layer between Consul/Raft 2013-12-09 13:13:40 -08:00